Skip to content

[FEATURE] Proposal: ATR agent-threat detection signatures for content-layer AI threat indicators #249

Description

@eeee2345

Hi cert-ee maintainers,

Proposing a contribution path for content-layer AI agent threat detection signatures in Cuckoo3.

Context: I maintain Agent Threat Rules (ATR, https://github.com/Agent-Threat-Rule/agent-threat-rules), an MIT-licensed detection-rule corpus for AI agent runtime threats. 348 rules at v2.1.4 covering prompt injection, tool poisoning, context exfiltration, agent loop exploits. In production at Microsoft Agent Governance Toolkit, Cisco AI Defense (314-rule pack), MISP / CIRCL Luxembourg (merged 2026-05-10 by adulau, MISP project lead), and OWASP Agent-Security-Regression-Harness. 2 hours 16 minutes from MSRC Semantic Kernel CVE-2026-26030 disclosure (2026-05-07) to npm-published detection rules (2026-05-11).

Why Cuckoo3: AI-agent attacks increasingly ride traditional malware delivery chains. Prompt injection payloads bundled in PDF / document loaders that target downstream LLM-RAG pipelines, malicious MCP server manifests packaged in installers, agent skill manifests delivered alongside infostealer / cryptojacker combos. Cuckoo3's pattern signature framework (processing/cuckoo/processing/post/eventconsumer/patternsigs.py + signatures.zip) already fires on commandline, file write, registry write, and mutant events from sandbox runs. An AI-agent threat signature pack can fire on those same event kinds when an installer drops a malicious agent skill manifest, executes a malicious mcp add command, or writes to .claude/skills/ paths.

Scope proposal:

  • New YAML pattern pack under signatures.zip / pattern/windows/ (and pattern/linux/ when relevant) covering AI-agent-specific installer behaviors
  • 15 CVE-anchored signatures to start, drawn from ATR rules tied to public CVE-2026-* identifiers
  • Fires on existing event kinds (commandline, file write, registry, mutant); no new event types, no Python plugin code, no scanner changes
  • All triggers Hyperscan-regex-compatible per the existing PatternScanner contract
  • No network calls, no LLM in the hot path, deterministic regex matching
  • Optional companion: a small YARA static set for AI-agent skill manifest fingerprints under yara/static/

Three questions before any code:

  1. Is the pattern signature framework open to AI-agent installer behaviors (commandlines that install agent skills / MCP servers / Claude plugins) alongside the existing malware-family pattern packs, or is the framework scope-restricted to traditional malware indicators only?
  2. Cross-CSIRT precedent: CybercentreCanada/Maco recently accepted external PR from lachlan-acsc (ACSC Australia). PR remove deprecated utcnow method #227 from external contributor timurivanov21 was merged here. Are you open to receiving a YAML pattern pack PR from an external maintainer, or would you prefer a different intake shape (e.g. RP template only, or a separate signatures-pack repo)?
  3. EUPL-1.2 + MIT compatibility: ATR rules are MIT. I am happy to dual-license the contributed YAML pack so the Cuckoo3 tree stays EUPL-1.2 clean, or to wrap the pack as an optional add-on. Which arrangement do you prefer?

Honest about limits:

  • Regex-based; does not catch paraphrase bypasses
  • ATR rule corpus is predominantly English today; multilingual extension in progress with Japan AISI and CISPA Helmholtz
  • Signatures only fire when AI-agent threat indicators surface in sandbox-observed behaviors, not a substitute for traditional malware detection

Wave-1 outreach context (transparency): this proposal is part of a 3-target wave this week including CCCS Canada (PR to CCCS-Yara) and Australia ACSC (Issue to azul). Estonia CERT-EE is the third leg.

Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Maintainer: Adam Lin, adam@agentthreatrule.org
Foundation: Panguard AI Inc. (Delaware C-Corp, filed 2026-05-12)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions